Composition of password-based protocols

Abstract

Formal and symbolic techniques are extremely useful for modelling and analysing security protocols. They have helped to improve our understanding of such protocols, allowed us to discover flaws, and they also provide support for protocol design. However, such analyses usually consider that the protocol is executed in isolation or assume a bounded number of protocol sessions. Hence, no security guarantee is provided when the protocol is executed in a more complex environment.

In this paper, we study whether password protocols can be safely composed, even when a same password is reused. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure password protocols: (i) design a protocol intended to be secure for one protocol session; (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to compose different password protocols allowing us to obtain both inter-protocol and inter-session composition.

Appendices

Appendix A: Disjoint case

To establish this proposition, we first prove some lemmas about deduction and static equivalence.

Lemma 9

Let \(\phi\equiv\nu\tilde{n}.\sigma\) be a frame, t be a ground term that is not deducible from ϕ, M be a ground term deducible from ϕ, y be a variable not in \(\operatorname {dom}(\phi)\), and m be a name not in bn(ϕ). Then, we have that t is neither deducible from νm.ϕ, nor from \(\nu\tilde{n}. (\sigma\mid \{^{M}/{}_{y}\})\).

Proof

We prove the two points separately.

We have that t is not deducible from the frame νm.ϕ. We prove this result by contradiction. Assume that it is not the case. This means that there exists U such that \(\mathit {fn}(U) \cap \tilde{n} = \emptyset\), m∉fn(U), and Uσ= _E t. We easily deduce that U is also a recipe for t w.r.t. the frame ϕ, contradiction.

We have that t is not deducible from the frame \(\nu \tilde{n}. (\sigma\mid \{^{M}/{}_{y}\})\) . Let ζ be a recipe of M, i.e. a term such that \(\mathit {fn}(\zeta) \cap\tilde{n} = \emptyset\), w∉fn(ζ), and ζσ= _E M. We now prove the result by contradiction. Assume that t is deducible from the frame \(\nu \tilde{n}. (\sigma\mid \{^{M}/{}_{y}\})\). This means that there exists U such that \(\mathit {fn}(U) \cap\tilde{n} = \emptyset\), and U(σ∣{^M/ _y })= _E t. Let U′=U{^ζ/ _y }. We have that \(\mathit {fn}(U') \cap \tilde{n} = \emptyset\), and U′σ=(U{^ζ/ _y })σ= _E (U{^M/ _y })σ=U(σ∣{^M/ _y })= _E t. Thus, t is deducible from \(\nu\tilde{n}. \sigma\) using the recipe U′, contradiction. □

Lemma 10

Let \(\phi\equiv\nu w. \nu\tilde{n}. \sigma\) be a frame resistant to guessing attacks against w, M be a ground term deducible from ϕ, y be a variable not in \(\operatorname {dom}(\phi)\), and m be a name not in bn(ϕ). Then we have that the frames νm.ϕ and \(\nu w. \nu\tilde{n}. (\sigma\mid \{^{M}/{}_{y}\})\) are resistant to guessing attacks against w.

Proof

We prove the two points separately.

The frame νm.ϕ is resistant to guessing attacks against w. We prove this result by contradiction. Assume that it is not the case. This means that

$$\nu w. \nu m. \nu\tilde{n}. (\sigma\mid \{^{w}/{}_{x}\}) \not \mathrel{\approx} \nu w'. \nu w. \nu m. \nu\tilde{n}. (\sigma\mid \{^{w'}/{}_{x}\} ) $$

where w′ is a fresh name, and x a variable that does not occur in \(\operatorname {dom}(\sigma)\). By definition of ≈, this means that there exist M and N such that \((\mathit {fn}(M) \cup \mathit {fn}(N)) \cap\tilde{n} =\emptyset\), and w,w′,m∉fn(M)∪fn(N) with (M{^w/ _x }= _E N{^w/ _x })σ and \((M\{^{w'}/{}_{x}\} \not=_{\mathsf {E}}N\{^{w'}/{}_{x}\})\sigma\) (or conversely). Actually, the same test (M,N) can be used to show that ϕ is not resistant to guessing attacks against w.

The frame \(\nu w. \nu\tilde{n}. (\sigma\mid \{^{M}/{}_{y}\})\) is resistant to guessing attacks against w. Let ζ be a recipe of M, i.e. a term such that \(\mathit {fn}(\zeta) \cap\tilde{n} = \emptyset\), w∉fn(ζ), \(\mathit {fv}(\zeta) \subseteq \operatorname {dom}(\sigma)\), and ζσ= _E M. Moreover, we assume that w′∉fn(ζ). By hypothesis, we have that \(\nu w. \nu\tilde{n}. (\sigma\mid \{^{w}/{}_{x}\}) \mathrel{\approx} \nu w'. \nu w.\nu \tilde{n}. (\sigma\mid \{^{w'}/{}_{x}\})\) where w′ is a fresh name and x a variable that does not occur in \(\operatorname {dom}(\sigma)\). Our goal is to show that:

$$\nu w. \nu\tilde{n}. (\sigma\mid \{^{M}/{}_{y}\} \mid \{^{w}/{}_{x}\}) \mathrel{\approx}\nu w'. \nu w. \nu\tilde{n}. (\sigma\mid \{^{M}/{}_{y}\} \mid \{^{w'}/{}_{x}\} ). $$

Let U,V be two terms such that \((\mathit {fn}(U) \cup \mathit {fn}(V)) \cap\tilde{n} = \emptyset\), w,w′∉(fn(U)∪fn(V)), and (U= _E V)(σ∣{^M/ _y }∣{^w/ _x }). Let U′=U{^ζ/ _y } and V′=V{^ζ/ _y }. First, we have that \({(fn(U') \cup \mathit {fn}(V')) \cap \tilde{n} = \emptyset}\) and w,w′∉(fn(U′)∪fn(V′)). Moreover, we have that:

• U(σ∣{^M/ _y }∣{^w/ _x })= _E U′(σ∣{^w/ _x }), and

• V(σ∣{^M/ _y }∣{^w/ _x })= _E V′(σ∣{^w/ _x }).

Thanks to our hypothesis, we deduce that (U′= _E V′)(σ∣{^w′/ _x }) and (U{^ζ/ _y }= _E V{^ζ/ _y })(σ∣{^w′/ _x }), i.e. (U= _E V)(σ∣{^M/ _y }∣{^w′/ _x }). The other direction can be shown in a similar way. □

Proposition 1

Let A ₁,…,A _k be k extended processes such that \(A \stackrel{\mathsf {def}}{=} A_{1} \mid\cdots\mid A_{k}\) is also an extended process, and w _i ∈bn(A _i ) for each i∈{1,…,k}.

1. 1.

   Let t be a ground term that occurs as a subterm in A _i for some i∈{1,…,k}. If A _i preserves secrecy of t, then A preserves secrecy of t.

2. 2.

   Let \(\varPhi= ev(\tilde{x}) \Rightarrow_{(\mathsf {inj})} ev'(\tilde {x})\) be a correspondence property (injective or not). If Φ holds on each A _i , then Φ holds on A.

3. 3.

   If each A _i is resistant to guessing attack against w _i , then A is resistant to guessing attack against w ₁,…,w _k .

Proof

We prove this composition result by contradiction. Assume that the process A admits an attack. Let \(A_{i} \equiv\nu w_{i}. \nu\tilde{n}_{i}. P_{i}\) for each ∈{1,…,k}, \(\tilde{w} = w_{1}, \ldots, w_{k}\), and \(\tilde{n} = \tilde{n}_{1}, \ldots,\tilde{n}_{k}\). By definition of an attack, we have that there exists a trace:

$$A \stackrel{\mathsf {def}}{=} A_1 \mid\cdots\mid A_k \xrightarrow { \ell_1} B_1 \ldots \xrightarrow {\ell_n} B_n $$

with \(B_{n} = \nu\tilde{w}. \nu\tilde{n}. (P'_{1} \mid\sigma_{1} \mid \cdots\mid P'_{k} \mid\sigma_{k})\). Intuitively, the active substitutions in σ _i comes from A _i and \(P'_{i}\) is the remaining part of P _i . In addition, depending on the security property under study, we have that:

1. 1.

   (secrecy) We know that ϕ(B _n )⊢ _E t for some t that occurs as a subterm of \(A_{i_{0}}\) with i ₀∈{1,…,k}. Actually, since A→^∗ B _n , we have also that \(A_{i_{0}} \to^{*} \nu w_{i_{0}}. \nu\tilde{n}_{i_{0}}. (P'_{i_{0}} \mid\sigma_{i_{0}})\). Moreover, by hypothesis, we know that \(\nu w_{i_{0}}. \nu \tilde{n}_{i_{0}} . \sigma_{i_{0}} \not\vdash_{\mathsf {E}}t\). Relying on Lemma 9, we deduce that t is not deducible from \(\nu \tilde{w}. \nu\tilde{n}. (\sigma_{1} \mid\cdots\mid\sigma_{k})\), i.e. \(\phi(B_{n}) \not\vdash_{\mathsf {E}}t\), contradiction.

2. 2.

   (correspondence property) there exists j ₀ and a substitution σ such that \(\ell_{j_{0}} =_{\mathsf {E}}ev(\tilde{x}\sigma)\) and \(\ell_{j} \neq_{\mathsf {E}}ev'(\tilde{x}\sigma)\) for any j≤j ₀. Let i ₀∈{1,…,k} be such that the action \(\ell_{j_{0}}\) has been performed by \(A_{i_{0}}\). Actually, since A→^∗ B _n through the labels ℓ ₁,…,ℓ _n , we have also that \(A_{i_{0}} \to^{*} \nu w_{i_{0}}. \nu \tilde{n}_{i_{0}}. (P'_{i_{0}} \mid\sigma_{i_{0}})\) using the labels \(\ell_{j_{1}}, \ldots, \ell_{j_{p}}\) a subword of ℓ ₁,…,ℓ _n (i.e. the sequence ℓ ₁,…,ℓ _n can be obtained from \(\ell_{j_{1}}, \ldots, \ell_{j_{p}}\) by inserting some element in it). Moreover, we have that \(\ell_{j_{0}}\) occurs in \(\ell_{j_{1}}, \ldots, \ell_{j_{p}}\). From this, it is now quite easy to see that Φ does not hold on A _i , contradiction.

   We consider now the case of an injective correspondance property. We know that there exist j ₀ and σ such that:

   $$\# \{j \mid ev(x_1\sigma,\ldots,x_k\sigma) = \ell_j \mbox{ with $j \leq j_{0}$} \} > \# \{j \mid ev'(x_1\sigma,\ldots,x_k\sigma) = \ell_j \mbox{ with $j \leq j_{0}$} \}. $$

   In particular, this means that there exists i ₀∈{1,…,k} such that:

   $$\begin{array}{l} \#\{j\mid ev(x_1\sigma,\ldots,x_k\sigma) =\ell_j \mbox{ with $j \leq j_{0}$ and $\ell_{j}$ is an action performed by $A_{i_{0}}$}\}\\ \quad > \#\{j \mid ev'(x_1\sigma,\ldots,x_k\sigma) =\ell_j \mbox{ with $j \leq j_{0}$ and $\ell_{j}$ is an action performed by $A_{i_{0}}$}\}. \end{array} $$

   As before, we have that \(A_{i_{0}} \to^{*} \nu w_{i_{0}}. \nu \tilde{n}_{i_{0}}. (P'_{i_{0}} \mid\sigma_{i_{0}})\) using the labels \(\ell_{j_{1}}, \ldots, \ell_{j_{p}}\) (these labels correspond to the actions that are performed by \(A_{i_{0}}\) in the sequence ℓ ₁,…,ℓ _n ). Using the relation given above, it is quite easy to see that Φ does not hold on \(A_{i_{0}}\). This allows us to conclude.

3. 3.

   (guessing attack) the frame ϕ(B _n ) is not resistant to guessing attacks against \(\tilde{w}\). Actually, since A→^∗ B _n , we have also that \(A_{i} \to^{*} \nu w_{i}. \nu\tilde{n}_{i}. (P'_{i} \mid\sigma_{i})\) for each i∈{1,…,k}. Moreover, by hypothesis, we know that \(\nu w_{i}. \nu \tilde{n}_{i} . \sigma_{i}\) is resistant to guessing attacks against w _i . Relying on Lemma 10, we obtain the following equivalences:

   $$\begin{array}{rcl} \nu w_1. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) & \mathrel{\approx}& \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) \\ \nu w_2. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) & \mathrel{\approx}& \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) \\ & \vdots& \\ \nu w_k. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) & \mathrel{\approx}& \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) \\ \end{array} $$

   Applying Lemma 1 (item 1), we deduce that:

   $$\begin{array}{rcl} \nu w_1. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) & \mathrel{\approx}& \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) \\ \nu w_1. \nu w_2. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma _k) & \mathrel{\approx}& \nu w_1. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid \sigma_k) \\ & \vdots& \\ \nu w_1. \ldots. \nu w_k. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid \sigma_k) & \mathrel{\approx}& \nu w_1. \ldots. \nu w_{k-1}. \nu\tilde{n}. (\sigma_1 \mid\cdots\mid\sigma_k) \\ \end{array} $$

   By transitivity of ≈, we deduce that \(\nu\tilde{w}. \nu\tilde{n}. (\sigma_{1} \mid\cdots\mid\sigma_{k}) \; \mathrel{\approx}\; \nu\tilde{n}. (\sigma_{1} \mid\cdots\mid\sigma_{k})\). This means that ϕ(B _n ) is not resistant to guessing attacks against \(\tilde{w}\), contradiction.

 □

Appendix B: Transformation

The goal of this section is to prove Theorem 1.

2.1 B.1 Proof of Lemma 5

Before to prove Lemma 5, we introduce the following cutting function.

Definition 12

Given a frame ϕ, a term U=h(U ₁,U ₂) and a name a, the cutting function cut w.r.t. ϕ,U and a is defined recursively as cut _ϕ (u)=u when u is a name or a variable and:

$$\mathsf {cut}_{\phi} (f(T_1,\ldots,T_k) ) = \left \{ \begin{array}{l} a \quad\mbox{if $f=\mathsf {h}$, $k=2$, $(U_{1}=_{\mathsf {E}}T_{1})\phi$ and $(U_{2} =_{\mathsf {E}}T_{2})\phi$}\\ f(\mathsf {cut}_{\phi}(T_1),\ldots, \mathsf {cut}_{\phi}(T_k)) \quad\mbox{otherwise} \end{array} \right . $$

When \(\operatorname {dom}(\phi) = \emptyset\), we denote it at cut ₀. In this case, the function cut ₀ is a replacement modulo E as defined in [13]. Hence, we have the following lemma.

Lemma 11

Let U=h(U ₁,U ₂) be a term and a be a name. We have that:

$$M =_\mathsf {E}N \quad \Rightarrow\quad \mathsf {cut}_0(M) =_\mathsf {E}\mathsf {cut}_0(N) \quad \mbox{\textit{for any term} $M$ \textit{and} $N$.} $$

Lemma 12

Let \(\phi=_{\alpha}\nu\tilde{n}.\sigma\) be a frame. Let \(w, \overline {w}\) and c be three names such that \(w, c\notin\tilde{n}\) and \(\overline {w}\) is a fresh name. Let cut be the cutting function w.r.t. \(\phi \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\), \(\mathsf {h}(c,\overline {w})\), w and cut ₀ be the cutting function w.r.t. \(\mathsf {h}(c,\overline {w})\) and w. Let M be a term such that \(\mathit {fn}(M) \cap \tilde{n} = \emptyset\). We have that

$$\mathsf {cut}_0(M(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) = \mathsf {cut}(M)\sigma. $$

Proof

We prove this result by structural induction on M. If M is a name or a variable such that \(M \notin \operatorname {dom}(\phi)\), we have that

$$\mathsf {cut}_0(M(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) = \mathsf {cut}(M)\sigma= M. $$

Now, assume that M is a variable, say x, such that \(x \in \operatorname {dom}(\phi)\). Let T=xσ. Note that \(\overline {w}\) does not occur in T since \(\overline {w}\) is fresh w.r.t. σ. Hence, we have that²:

$$\mathsf {cut}_0 (M (\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} )) = \mathsf {cut}_0 (T\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) = T = x \sigma= \mathsf {cut}(M)\sigma. $$

Now, we deal with the induction step: M=f(M ₁,…,M _k ). We distinguish two cases:

1. 1.

   f=h, k=2, \((M_{1} =_{\mathsf {E}}c)(\phi \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\) and \((M_{2} =_{\mathsf {E}}\overline {w})(\phi \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\). In such a case, we have that cut(M)σ=w. Moreover, we have also that \(M_{1}\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\mathsf {E}}c\) and \(M_{2}\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\mathsf {E}}\overline {w}\). Hence, we have that

   $$\mathsf {cut}_0 (M (\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) ) = \mathsf {cut}_0 (\mathsf {h}(M_1 (\sigma \{^{ \mathsf {h}(c,\overline {w})}/{}_{w}\} ), M_2 (\sigma \{^{\mathsf {h}(c, \overline {w})}/{}_{w}\} ) ) ) = w. $$
2. 2.

   Otherwise, we have that cut(f(M ₁,…,M _k ))=f(cut(M ₁),…,cut(M _k )). Hence, we have that \(\mathsf {cut}_{0}(M(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) = f(\mathsf {cut}_{0}(M_{1}(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})), \ldots,\mathsf {cut}_{0}(M_{k}(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})))\). Indeed, otherwise we will have that f=h, \((M_{1} =_{\mathsf {E}}c)(\phi \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\) and also that \((M_{2} =_{\mathsf {E}}\overline {w})(\phi \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\). This situation corresponds to our first case. Hence, we have that

   $$\begin{array}{l} \mathsf {cut}_0(M(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) \\ [0.5mm] \quad = f(\mathsf {cut}_0(M_1(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})), \ldots,\mathsf {cut}_0(M_k(\sigma \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}))) \\ [0.5mm] \quad = f(\mathsf {cut}(M_1)\sigma, \ldots, \mathsf {cut}(M_k)\sigma) \quad \mbox{by induction hypothesis} \\ [0.5mm] \quad = f(\mathsf {cut}(M_1), \ldots, \mathsf {cut}(M_k))\sigma\\ [0.5mm] \quad = \mathsf {cut}(M)\sigma \end{array} $$

   This allows us to conclude the proof.

 □

Lemma 5

Let ϕ ₁ and ϕ ₂ be two frames such that ϕ ₁≈ϕ ₂. Let w,c be such that w,c∉bn(ϕ ₁)∪bn(ϕ ₂). We have that

$$\phi_1\{^{\mathsf {h}(c,w)}/{}_{w}\} \mathrel{\approx}\phi_2 \{^{\mathsf {h}(c,w)}/{}_{w}\}. $$

Proof

We will show that \(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} \mathrel{\approx} \phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\) for some fresh names \(\overline {w}\). This will allow us to conclude that ϕ ₁{^h(c,w)/ _w }≈ϕ ₂{^h(c,w)/ _w } by simply renaming \(\overline {w}\) with w. For this we have to show that for all terms M and N, we have that: \((M =_{\mathsf {E}}N)\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} \Rightarrow(M=_{\mathsf {E}}N)\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\) (and conversely). Actually, the 2^nd implication can be proved in a similar way, so we will focuss on the first one.

Actually, it is sufficient to establish this result for all terms M and N such that w∉fn(M)∪fn(N) since w does not occur in \(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\) and \(\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\). Let σ ₁ and σ ₂ be two substitutions such that \(\phi_{1} =_{\alpha}\nu\tilde{n}_{1}.\sigma_{1}\) and \(\phi_{2} =_{\alpha}\nu \tilde{n}_{2}.\sigma_{2}\) for some sequences of names \(\tilde{n}_{1}\) and \(\tilde{n}_{2}\) such that \((\mathit {fn}(M) \cup \mathit {fn}(N)) \cap(\tilde{n}_{1} \cup \tilde{n}_{2}) = \emptyset\). Moreover, we can assume that \(w, \overline {w}, c\notin \tilde{n}_{1} \cup\tilde{n}_{2}\). Hence, we have that \(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\alpha}\nu \tilde{n}_{1}.\sigma_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\), and \(\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\alpha}\nu \tilde{n}_{2}.\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\).

Let cut be the cutting function w.r.t. \(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\), \(\mathsf {h}(c,\overline {w})\) and w, and cut ₀ be the cutting function w.r.t. \(\mathsf {h}(c,\overline {w})\) and w. We show by induction on max(|M|,|N|)³ that

1. 1.

   \((\mathsf {cut}(M)\sigma_{2})\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\mathsf {E}}M(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\), and

2. 2.

   \((M =_{\mathsf {E}}N)(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) \Rightarrow(M=_{\mathsf {E}}N)(\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\).

Base case: max(|M|,|N|)=1

1. 1.

   If M is a name (note that M≠w) or a variable such that \({M \notin \operatorname {dom}(\phi_{2})}\), we have that \({(\mathsf {cut}(M)\sigma_{2})\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} = M}\) and \(M(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) = M\). If M is a variable, say x, such that \(x \in \operatorname {dom}(\phi_{2})\), then we have that

   $$(\mathsf {cut}(M)\sigma_2 )\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} = (x \sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} = x ( \sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) = M ( \sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ). $$
2. 2.

   The second point can be proved as follows:

   $$\begin{array}{l@{\quad }l} (M =_\mathsf {E}N)(\phi_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\\[0.5mm] \quad \Rightarrow\quad M(\sigma_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) =_\mathsf {E}N(\sigma_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) \\ [0.5mm] \quad \Rightarrow\quad \mathsf {cut}_0(M(\sigma_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) =_\mathsf {E}\mathsf {cut}_0(N(\sigma_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})) & \mbox{by Lemma~{11}}\\[0.5mm] \quad \Rightarrow\quad \mathsf {cut}(M)\sigma_1 =_{\mathsf {E}} \mathsf {cut}(N)\sigma_1 & \mbox{by Lemma~{12}}\\[0.5mm] \quad \Rightarrow \quad (\mathsf {cut}(M) =_\mathsf {E}\mathsf {cut}(N))\phi_1 \\[0.5mm] \quad \Rightarrow \quad (\mathsf {cut}(M) =_\mathsf {E}\mathsf {cut}(N))\phi_2 & \mbox{since $\phi_{1} \mathrel{\approx}\phi_{2}$}\\[0.5mm] \quad \Rightarrow \quad \mathsf {cut}(M)\sigma_2 =_\mathsf {E}\mathsf {cut}(N)\sigma_2 \\[0.5mm] \quad \Rightarrow \quad (\mathsf {cut}(M)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_\mathsf {E}(\mathsf {cut}(N)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} \\[0.5mm] \end{array} $$

   The last step comes from the fact that = _E is closed by substitutions of terms for names. Since, |M|=|N|=1, we can apply our previous result to obtain that:

   $$(\mathsf {cut}(M)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_\mathsf {E}M(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}),\qquad (\mathsf {cut}(N)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_\mathsf {E}N(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}). $$

   We have that \(M(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) =_{\mathsf {E}}N(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\), thus \((M =_{\mathsf {E}}N)(\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\).

Induction step: max(|M|,|N|)≥2. We assume w.l.o.g. that |M|≥|N|, so M=f(M ₁,…,M _k ).

1. 1.

   To establish the first point, we distinguish two cases:

   • f=h, k=2, \((M_{1} =_{\mathsf {E}}c)(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\) and \((M_{2} =_{\mathsf {E}}\overline {w})(\phi_{1}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\). In such a case, we have that cut(M)=w, thus \((\mathsf {cut}(M)\sigma_{2})\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} = \mathsf {h}(c,\overline {w})\). Since |M ₁|+|c|<|M|+|N| and \(|M_{2}| + |\overline {w}| < |M| + |N|\), we have that

     $$(M_1 =_\mathsf {E}c) (\phi_2 \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) \quad \mbox{and}\quad (M_2 =_\mathsf {E}\overline {w}) (\phi_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) $$

     Hence, we have that

     $$M (\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) = \mathsf {h}(M_1 (\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ), M_2 (\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) ) =_\mathsf {E}\mathsf {h}(c,\overline {w}) $$

   • Otherwise, we have that cut(M)=f(cut(M ₁),…,cut(M _k )). Thus,

     $$\begin{array}{l} (\mathsf {cut}(M)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\\[3pt] \quad = (f(\mathsf {cut}(M_1), \ldots, \mathsf {cut}(M_k))\sigma _2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}\\[3pt] \quad = f((\mathsf {cut}(M_1)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}, \ldots,(\mathsf {cut}(M_k)\sigma_2)\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} )\\[3pt] \quad =_\mathsf {E}f(M_1(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}), \ldots,M_k(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) )\quad \mbox{by induction hypothesis}\\[3pt] \quad = f(M_1, \ldots, M_k)(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\\[3pt] \quad = M(\sigma_2\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) \end{array} $$
2. 2.

   To prove the second point, it is easy to establish (as in the base case) that

   $$(M =_\mathsf {E}N) (\phi_1\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} ) \Rightarrow(\mathsf {cut}(M)\sigma_2 )\{^{\mathsf {h}( c,\overline {w})}/{}_{w}\} =_\mathsf {E}(\mathsf {cut}(N)\sigma_2 ) \{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} $$

   Thanks to our previous result, we have that \((\mathsf {cut}(M)\sigma_{2})\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\mathsf {E}}M(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\), and \((\mathsf {cut}(N)\sigma_{2})\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\} =_{\mathsf {E}}N(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\). We conclude that \(M(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\}) =_{\mathsf {E}}N(\sigma_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\), and thus \((M =_{\mathsf {E}}N)(\phi_{2}\{^{\mathsf {h}(c,\overline {w})}/{}_{w}\})\).

This allows us to conclude the proof. □

2.2 B.2 Proof of Proposition 3

The two following lemmas will be useful to deal with the cases of an input (Lemma 3) and a conditional (Lemma 4) in the proof of Proposition 3.

Lemma 3

Let ϕ be a frame such that c,w∉bn(ϕ) and ϕ′{^h(c,w)/ _w }= _E ϕ for some ϕ′. If νw.ϕ⊢ _E M then there exists M′ such that M′{^h(c,w)/ _w }= _E M and νw.ϕ′⊢ _E M′.

Proof

Let \(\phi= \nu\tilde{n}.\sigma\) and \(\phi'= \nu\tilde{n}. \sigma'\) for some sequence of names \(\tilde{n}\) and some substitutions σ and σ′. We have that σ′{^h(c,w)/ _w }= _E σ. Let M be such that νw.ϕ⊢ _E M, i.e. there exists ζ such that \(\mathit {fn}(\zeta) \cap(\tilde{n} \cup\{w\}) = \emptyset\) and ζσ= _E M. Let M′=ζσ′. We have that νw.ϕ′⊢ _E M′ and also that M′{^h(c,w)/ _w }=(ζσ′){^h(c,w)/ _w }=ζ(σ′{^h(c,w)/ _w })= _E ζσ= _E M. □

Lemma 4

Let M, N, M′ and N′ be four terms such that M= _E M′{^h(c,w)/ _w } and N= _E N′{^h(c,w)/ _w }. Then, we have that

$$M =_\mathsf {E}N \quad \mbox{\textit{if}, \textit{and only if},} \quad M'=_\mathsf {E}N' $$

Proof

As = _E is closed by substitutions of terms for names M′= _E N′ implies M= _E N. Now, let M and N be two terms such that M= _E N. We have that M′{^h(c,w)/ _w }= _E N′{^h(c,w)/ _w }. Thus, according to Lemma 11, we have that

$$\mathsf {cut}_0 (M'\{^{\mathsf {h}(c,w)}/{}_{w}\} ) =_\mathsf {E}\mathsf {cut}_0 (N'\{^{\mathsf {h}(c,w)}/{}_{w}\} ) $$

where cut ₀ represents the cutting function w.r.t. h(c,w) and w. Now, it is easy to establish, by structural induction on M′ that cut ₀(M′{^h(c,w)/ _w })=M′. This allows us to conclude. □

We will prove Proposition 3 by induction on the prooftree witnessing the derivation. First, we establish a similar result for ≡.

Lemma 13

Let A be a process such that w∉bn(A) and A′{^h(c,w)/ _w }= _E A for some A′. Suppose that A≡B for some process B. Then w∉bn(B) and there exists a process B′ such that B′{^h(c,w)/ _w }= _E B and A′≡B′.

Proof

We prove this result by induction on the proof tree showing that A≡B. All the base cases are easy to prove. The only interesting inductive case is the case of an application of an evaluation context. Suppose that the proof tree showing that A≡B ends with an instance of such a rule, i.e.

$$\frac{A_1 \equiv B_1}{C[A_1] \equiv C[B_1]} $$

where A=C[A ₁] and B=C[B ₁]. By hypothesis, we know that there exists A′ such that A′{^h(c,w)/ _w }= _E C[A ₁]. Hence we have that \(A' = C'[A'_{1}]\) where C′{^h(c,w)/ _w }= _E C and \(A'_{1} \{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}A_{1}\) for some evaluation context C′ and some process \(A_{1}'\). Hence we can apply our induction hypothesis and we obtain that w∉bn(B ₁) and there exists \(B'_{1}\) such that \(B'_{1}\{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}B_{1}\), and \(A_{1}' \equiv B_{1}'\). We have that w∉bn(C[B ₁]). Let \(B' = C'[B_{1}']\). We have that \((C'[B_{1}'])\{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}C[B_{1}] = B\) and A′≡B′. □

Now, we can prove the following proposition.

Proposition 3

Let A be a process with c,w∉bn(A) and A′{^h(c,w)/ _w }= _E A for some A′. If \(\nu w. A \xrightarrow {\ell} \overline{B}\), then \(\overline{B} \equiv \nu w. B\) and there exists a process B′ and a label ℓ′ such that B′{^h(c,w)/ _w }= _E B, ℓ′{^h(c,w)/ _w }= _E ℓ, and \(\nu w. A'\xrightarrow {\ell'} \nu w. B'\).

Proof

We have that \(\nu w. A \xrightarrow {\ell} \overline{B}\) and it is easy to see that \(w \in \mathit {bn}(\overline{B})\). According to our calculus, we can always by using structural equivalence move a restriction in front of the process, thus we have that \(\overline{B} \equiv\nu w. B\) for some process B. It is easy to see that \(A \xrightarrow {\ell} B\) and when ℓ=in(M), we have that νw.ϕ(A)⊢ _E M. As νw.ϕ(A)⊢ _E M, by Lemma 3, we have that νw.ϕ(A′)⊢ _E M′ for some M′ such that M′{^h(c,w)/ _w }= _E M. This allows us to ensure that, in the case of an input, the side condition corresponding to an application of evaluation context is satisfied. Now, we show that there exists B′ and ℓ′ such that B′{^h(c,w)/ _w }= _E B, ℓ′{^h(c,w)/ _w }= _E ℓ, and A′→B′ by induction on the proof tree showing that \(A \xrightarrow {\ell} B\). This will allows us to conclude that \(\nu w. A'\xrightarrow {\ell'} \nu w. B'\).

Base cases.

• In. In such a case, A=in(x).P, B=P{^M/ _x }. We have that A′=in(x).P′ and P′{^h(c,w)/ _w }= _E P. Let B′=P′{^M′/ _x } and ℓ′=in(M′). We have that ℓ′{^h(c,w)/ _w }= _E ℓ, B′{^h(c,w)/ _w }=(P′{^M′/ _x }){^h(c,w)/ _w }= _E P{^M/ _x }=B, and \(A'\xrightarrow {\ell'} B'\).

• Out. We suppose that A=out(M).P and B=P∣{^M/ _x }. We have that A′=out(M′).P′ where P′{^h(c,w)/ _w }= _E P and M′{^h(c,w)/ _w }= _E M. Let B′=P′∣{^M′/ _x } and ℓ′=out(M′). We have ℓ′{^h(c,w)/ _w }= _E ℓ, B′{^h(c,w)/ _w }=(P′∣{^M′/ _x }){^h(c,w)/ _w }= _E B, and \(A'\xrightarrow {\ell'} B'\).

• Event. We suppose that \(A=\text {ev}(\tilde{M}).P\) and B=P. We have that \(A' = \text {ev}(\tilde{M}').P'\) where P′{^h(c,w)/ _w }= _E P and \(\tilde{M}' \{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}M\). Let B′=P′ and \(\ell'=ev(\tilde{M}')\). We have ℓ′{^h(c,w)/ _w }= _E ℓ, B′{^h(c,w)/ _w }=P′{^h(c,w)/ _w }= _E B, and \(A'\xrightarrow {\ell'} B'\).

• Then. We suppose that A= “if M ₁=M ₂ then P else Q” and B=P. By definition of = _E we have that A′= “\(\mbox{if } M'_{1} = M'_{2} \mbox{ then } P' \mbox{ else } Q'\)” where P′{^h(c,w)/ _w }= _E P, Q′{^h(c,w)/ _w }= _E Q and \(M'_{i} \{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}M_{i}\) (i=1,2). Let B′=P′ and ℓ′=τ. As M ₁= _E M ₂, by Lemma 4 we have that \(M'_{1} =_{\mathsf {E}}M'_{2}\). Hence, we indeed have that ℓ′{^h(c,w)/ _w }= _E ℓ, B′{^h(c,w)/ _w }=P′{^h(c,w)/ _w }= _E P=B, and A′→B′.

• Else. This case is similar to the previous one.

Inductive cases. The inductive case corresponding to an application of structural equivalence directly follows from Lemma 13. Hence, it remains to show the case of an application of an evaluation context. Suppose that the proof \(A \xrightarrow {\ell} B\) finishes by an application of the following rule

$$\frac{A_1 \xrightarrow {\ell} B_1}{C[A_1] \xrightarrow {\ell} C[B_1]} $$

where A=C[A ₁] and B=C[B ₁]. By hypothesis, we know that there exists A′ such that A′{^h(c,w)/ _w }= _E A. By definition of = _E we have that \(A' = C'[A_{1}']\) where C′{^h(c,w)/ _w }= _E C and \(A_{1}' \{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}A_{1}\) for some evaluation context C′ and some process \(A_{1}'\). Hence we can apply our induction hypothesis to obtain that there exist \(B_{1}'\) and ℓ′ such that ℓ′{^h(c,w)/ _w }= _E ℓ, \(B_{1}'\{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}B_{1}\), and \(A_{1}' \xrightarrow {\ell'} B_{1}'\). Let \(B' = C'[B_{1}']\). We have that \(B'\{^{\mathsf {h}(c,w)}/{}_{w}\} = (C'[B_{1}'])\{^{\mathsf {h}(c,w)}/{}_{w}\} =_{\mathsf {E}}B\), and \(A'\xrightarrow {\ell'} B'\). This last result is obtained by application of the evaluation context C′ on \(A'_{1} \xrightarrow {\ell'} B'_{1}\). □

Appendix C: Composition

In this section we will use the following notations. Given terms t ₁,…,t _k and distinct names c ₁,…,c _k ,w ₁,…,w _k , and w that do not occur in t ₁,…,t _k , we denote by \(\delta_{w_{i},w}\) the replacement \(\{^{w}/{}_{w_{1}}\} \ldots \{^{w}/{}_{w_{k}}\}\), by \(\delta_{c_{i},t_{i}}\) the replacement \(\{^{t_{1}}/{}_{c_{1}}\} \ldots \{^{t_{k}}/{}_{c_{k}}\}\), and by \(\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\) the replacement \(\{^{\mathsf {h}(c_{1},w_{1})}/{}_{w_{1}}\} \ldots \{^{\mathsf {h}(c_{k},w_{k})}/{}_{w_{k}}\}\).

3.1 C.1 Proof of Lemma 8

Before proving Lemma 8, we introduce the following splitting functions.

Definition 13

Let \(\psi= \nu\tilde{n}. \sigma\) be a frame such that \({w \notin \tilde{n}}\). Let t ₁,…,t _k be distinct ground terms modulo E. Let c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names.

Splitting function. Let M be a term such that \(\mathit {fn}(M) \cap\tilde{n} = \emptyset\). The splitting function split _ψ w.r.t. ψ, w, c ₁,…,c _k , w ₁,…,w _k ,t ₁,…,t _k is defined recursively as split _ψ (M)=M when M is a name or a variable and split _ψ (f(M ₁,…,M _ℓ )) is equal to:

• h(c _i ,w _i ) if f=h, ℓ=2, M ₁ σ= _E t _i and M ₂ σ= _E w with 1≤i≤k;

• f(split _ψ (M ₁),…,split _ψ (M _ℓ )) otherwise.

Ground splitting function. Let M be a term. The ground splitting function split ₀ w.r.t. w, c ₁,…,c _k , w ₁,…,w _k ,t ₁,…,t _k is defined recursively as split ₀(M)=M when M is a name or a variable and split ₀(f(M ₁,…,M _ℓ )) is equal to:

• h(c _i ,w _i ) if f=h, ℓ=2, M ₁= _E t _i and M ₂= _E w with 1≤i≤k;

• f(split ₀(M ₁),…,split ₀(M _ℓ )) otherwise.

As soon as t ₁,…,t _k are distinct terms modulo E, the function split ₀ is a replacement modulo E as defined in [13]. Hence, we have the following lemma.

Lemma 14

Let split ₀ be a ground splitting function as defined in Definition 13. Let M and N be two terms. We have that:

$$M =_\mathsf {E}N \quad \Rightarrow\quad \mathsf {split}_0(M) =_\mathsf {E}\mathsf {split}_0(N) $$

Lemma 15

Let t ₁,…,t _k be distinct ground terms modulo E and c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names, i.e., not occurring in fn(t ₁,…,t _k ). Let \(\phi= \nu\tilde{n}.\sigma\) be a frame such that \(c_{1},\ldots, c_{k}, w_{1}, \ldots, w_{k},w \notin\tilde{n}\), \(w \not \in \mathit {fn}(\sigma)\), and \(\sigma =_{\mathsf {E}}\sigma_{0}\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some substitution σ ₀. Let split _ψ (resp. split ₀) be the splitting function (resp. ground splitting function) w.r.t. \(\psi= \nu\tilde{n}. (\sigma\delta_{c_{i},t_{i}}\delta_{w_{i},w})\), w, c ₁,…,c _k , w ₁,…,w _k , t ₁,…,t _k . Let M be a term such that \({\mathit {fn}(M) \cap\tilde{n} = \emptyset}\). We have that:

$$\mathsf {split}_0 (M (\sigma\delta_{c_i,t_i} \delta_{w_i,w}) ) =_\mathsf {E}\mathsf {split}_{\psi}(M)\sigma. $$

Proof

We prove this result by structural induction on M. If M is a name or a variable such that \(M \notin \operatorname {dom}(\psi) = \operatorname {dom}(\sigma)\), the result trivially holds. Now, assume that M is a variable, say x, such that \(x \in \operatorname {dom}(\psi)\) and let T=xσ. We have that \(T =_{\mathsf {E}}T'\{^{\mathsf {h}(c_{1},w_{1})}/{}_{w_{1}}\} \dots \{^{\mathsf {h}(c_{k},w_{k})}/{}_{w_{k}}\}\) for some T′, and w does not occur in T. Hence, we have that:

$$\begin{array}{rcl} \mathsf {split}_0(x\psi) & = & \mathsf {split}_0(x(\sigma\delta_{c_i,t_i}\delta_{w_i,w})) \\[3pt] &=_\mathsf {E}& \mathsf {split}_0(T \delta_{c_i,t_i}\delta_{w_i,w}) \\[3pt] & =_\mathsf {E}&T\\[3pt] &= & \mathsf {split}_{\psi}(x)\sigma \end{array} $$

Now, we can deal with the induction step, i.e. M=f(M ₁,…,M _ℓ ). We distinguish two cases:

1. 1.

   f=h, ℓ=2, \(M_{1}(\sigma\delta_{c_{i},t_{i}}\delta_{w_{i},w}) =_{\mathsf {E}}t_{i_{0}}\), and \(M_{2}(\sigma\delta_{c_{i},t_{i}}\delta_{w_{i},w}) =_{\mathsf {E}}w\) with 1≤i ₀≤k. In such a case, we have that \(\mathsf {split}_{\psi}(M) = \mathsf {h}(c_{i_{0}},w_{i_{0}})\), and

   $$M(\sigma\delta_{c_i,t_i}\delta_{w_i,w}) = \mathsf {h}(M_1 (\sigma\delta_{c_i,t_i}\delta_{w_i,w}), M_2 (\sigma\delta_{c_i,t_i}\delta_{w_i,w}) ) =_\mathsf {E}\mathsf {h}(t_{i_0},w) $$

   Hence, we have that

   $$\begin{array}{rcl} \mathsf {split}_0(M(\sigma\delta_{c_i,t_i}\delta_{w_i,w})) & =_\mathsf {E}& \mathsf {split}_0(\mathsf {h}(t_{i_0},w)) \\[3pt] & =_\mathsf {E}&\mathsf {h}(c_{i_0},w_{i_0})\\[3pt] &= & \mathsf {split}_{\psi}(M)\sigma \end{array} $$
2. 2.

   Otherwise, we have that split _ψ (f(M ₁,…,M _ℓ ))=f(split _ψ (M ₁),…,split _ψ (M _ℓ )), and thus we have also that:

   $$\mathsf {split}_0 (M(\sigma\delta_{c_i,t_i} \delta_{w_i,w}) ) = \mathsf {f}(\mathsf {split}_0 (M_1( \sigma\delta_{c_i,t_i}\delta_{w_i,w}) ), \ldots, \mathsf {split}_0 (M_1(\sigma\delta_{c_i,t_i} \delta_{w_i,w}) ) ). \hfill\null $$

   Hence, relying on our induction hypothesis, we have that:

   $$\begin{array}{rcl} \mathsf {split}_0(M(\sigma\delta_{c_i,t_i}\delta_{w_i,w})) &=_\mathsf {E}& \mathsf {f}(\mathsf {split}_{\psi}(M_1)\sigma, \ldots,\mathsf {split}_{\psi}(M_\ell)\sigma)\\[3pt] & = & \mathsf {split}_{\psi}(M)\sigma \end{array} $$

This allows us to conclude. □

Lemma 8

Let t ₁,…,t _k be distinct ground terms modulo E. Let c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names, and \(\phi= \nu\tilde{n}.\sigma\) be a frame such that \(c_{1},\ldots, c_{k}, w_{1}, \ldots, w_{k} \notin\tilde{n}\), and \(\sigma=_{\mathsf {E}}\sigma_{0} \delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some substitution σ ₀. Let w be a fresh name, and \(\psi= \nu\tilde{n}. (\sigma \delta_{c_{i},t_{i}}\delta_{w_{i},w})\). For each 1≤i≤k, we also assume that νw.ψ⊢ _E t _i .

If \(\nu\tilde{w}.\phi\) is resistant to guessing attacks against \(\tilde{w} = \{w_{1},\ldots, w_{k}\}\), then νw.ψ is resistant to guessing attacks against w.

Proof

To prove this, we have to establish that ψ≈ψ{^w′/ _w } where w′ is a fresh name. Hence, we have to show that for all terms M and N such that \(\mathit {fn}(M,N) \cap\tilde{n} = \emptyset\), we have that:

1. 1.

   (M= _E N)ψ⇒(M= _E N)(ψ{^w′/ _w }); and

2. 2.

   (M= _E N)(ψ{^w′/ _w })⇒(M= _E N)ψ.⁴

Actually, it is sufficient to establish this result for all terms M and N such that c ₁,…,c _k , w ₁,…,w _k do not occur in M and N. This comes from the fact that these names do not occur in ψ and ψ{^w′/ _w }. Moreover, we can assume w.l.o.g. that \(\tilde{n} \cap(\mathit {fn}(M) \cup \mathit {fn}(N)) = \emptyset\). Lastly, we will consider the first item (the other one can be proved in a similar way) and thus we can assume that w′∉(fn(M)∪fn(N)).

Let split _ψ (resp. split ₀) be the splitting function (resp. ground splitting function) w.r.t. \(\psi= \nu\tilde{n}. (\sigma\delta_{c_{i},t_{i}}\delta_{w_{i},w})\), w, c ₁,…,c _k , w ₁,…,w _k , t ₁,…,t _k . Let \(w'_{1},\ldots, w'_{k}\) be distinct fresh names (we assume w.l.o.g. that they do not occur in M and N). We denote by # _w M the number of occurrences of w in M, and by #M the size of M.⁵ We denote by |M| the measure (# _w M,#M) and we use the lexicographic ordering. We show by induction on max(|M|,|N|) that:

1. 1.

   \([\mathsf {split}_{\psi}(M)(\sigma\delta_{w_{i},w'_{i}})]\delta_{w_{i},w}\delta _{c_{i},t'_{i}}\delta_{w'_{i},w'} =_{\mathsf {E}}M(\sigma\delta_{c_{i},t'_{i}}\delta_{w_{i},w'})\)

2. 2.

   (M= _E N)ψ ⇒ (M= _E N)(ψ{^w′/ _w })

where

• \(\delta_{w_{i},w'_{i}} = \{^{w'_{1}}/{}_{w_{1}}\} \dots \{^{w'_{k}}/{}_{w_{k}}\}\);

• \(t'_{i} = t_{i}\{^{w'}/{}_{w}\}\) for 1≤i≤k, and \(\delta_{c_{i},t'_{i}} = \{^{t'_{1}}/{}_{c_{1}}\} \dots \{^{t'_{k}}/{}_{c_{k}}\}\);

• \(\delta_{w_{i},w'}= \{^{w'}/{}_{w_{1}}\} \dots \{^{w'}/{}_{w_{k}}\}\); and

• \(\delta_{w'_{i},w'}= \{^{w'}/{}_{w'_{1}}\} \dots \{^{w'}/{}_{w'_{k}}\}\).

Base case: max(|M|,|N|)≤(1,1). This means that M (resp. N) do not contain any occurrence of w, or M (resp. N) is equal to w.

1. 1.

   In both cases, we have that split _ψ (M)=M. This comes from the fact that w is not deducible from νw.ψ since all the occurrences of w are under an h. Hence, we have that:

   $$\begin{array}{l@{\quad }l} [\mathsf {split}_{\psi}(M) (\sigma\delta_{w_i,w'_i})] \delta_{w_i,w}\delta_{c_i,t'_i}\delta_{w'_i,w'} \\ \quad =_\mathsf {E}\, M(\sigma\delta_{w_i,w'_i}\delta_{c_i,t'_i}\delta_{w'_i,w'}) & \mbox{since $w_{i},c_{i},w'_{i} \notin \mathit {fn}(M)$}\\ \quad =_\mathsf {E}\; M(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}) & \mbox{since $w'_{i} \notin \mathit {fn}(\sigma)$}\\ \end{array} $$
2. 2.

   The second point can be proved as follows:

   $$\begin{array}{l@{\quad }l} (M =_\mathsf {E}N)\psi\\[3pt] \quad \Rightarrow\quad M(\sigma\delta_{c_i,t_i}\delta_{w_i,w}) =_\mathsf {E}N(\sigma\delta_{c_i,t_i}\delta_{w_i,w}) & \mbox{by def. of $\psi$}\\[3pt] \quad \Rightarrow\quad \mathsf {split}_0( M(\sigma\delta_{c_i,t_i}\delta_{w_i,w}) ) =_\mathsf {E}\mathsf {split}_0( N(\sigma\delta_{c_i,t_i}\delta_{w_i,w})) & \mbox{Lemma~{14}}\\[3pt] \quad \Rightarrow\quad \mathsf {split}_{\psi}(M)\sigma=_\mathsf {E}\mathsf {split}_{\psi}(N)\sigma& \mbox{Lemma~{15}}\\[3pt] \quad \Rightarrow\quad (\mathsf {split}_{\psi}(M) =_\mathsf {E}\mathsf {split}_{\psi}(N))\phi&\\[3pt] \hphantom{\quad \Rightarrow\qquad}\mbox{since $(\mathit {fn}(\mathsf {split}_{\psi}(N)) \cup \mathit {fn}(\mathsf {split}_{\psi}(M))) \cap\tilde{n} = \emptyset$}\\[3pt] \quad \Rightarrow\quad (\mathsf {split}_{\psi}(M) =_\mathsf {E}\mathsf {split}_{\psi}(N))(\phi\delta _{w_i,w'_i}) & \mbox{since $\phi\mathrel{\approx}\phi\delta_{w_{i},w'_{i}}$}\\[3pt] \quad \Rightarrow\quad \mathsf {split}_{\psi}(M)(\sigma\delta_{w_i,w'_i}) =_\mathsf {E}\mathsf {split}_{\psi}(N)(\sigma\delta_{w_i,w'_i})\\[3pt] \quad \Rightarrow\quad \mathsf {split}_{\psi}(M)(\sigma\delta_{w_i,w'_i}) \delta _{w_i,w}\delta_{c_i,t'_i}\delta_{w'_i,w'}\\[3pt] \hphantom{\quad \Rightarrow\quad} =_\mathsf {E}\mathsf {split}_{\psi}(N)(\sigma\delta_{w_i,w'_i})\delta_{w_i,w}\delta _{c_i,t'_i}\delta_{w'_i,w'} \\[3pt] \quad \Rightarrow\quad M(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}) =_\mathsf {E}N(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}) &\mbox{item $1$ (base case)}\\[3pt] \quad \Rightarrow\quad (M =_\mathsf {E}N)(\psi \{^{w'}/{}_{w}\}) \end{array} $$

Induction step: max(|M|,|N|)≥(1,2). We assume w.l.o.g. that |M|≥|N|, thus M=f(M ₁,…,M _ℓ ). As for each 1≤i≤k we have that νw.ψ⊢t _i there exist ζ _i such that \(\mathit {fn}(\zeta_{i}) \cap(\{c_{1},\ldots,c_{k},w_{1},\ldots,w_{k},w\}\cup\tilde{n}) = \emptyset\) and \(\zeta_{i}(\sigma\delta_{c_{i},t_{i}}\delta_{w_{i},w}) =_{\mathsf {E}}t_{i}\).

1. 1.

   To establish the first point, we distinguish two cases.

   • f=h, ℓ=2, \((M_{1} =_{\mathsf {E}}\zeta_{i_{0}})\psi\), and (M ₂= _E w)ψ for some i ₀∈{1,…,k}. Applying our induction hypothesis, we deduce that \((M_{1} =_{\mathsf {E}}\zeta_{i_{0}})(\psi \{^{w'}/{}_{w}\})\) and (M ₂= _E w)(ψ{^w′/ _w }). Note that \(\#_{w} \zeta_{i_{0}} = 0\) and # _w M ₂≥1 (it is not possible to deduce w without using it explicitly). Hence, we can indeed apply our induction hypothesis in order to deduce that:

     $$\begin{array}{rcl} [\mathsf {split}_{\psi}(M)(\sigma\delta_{w_i,w'_i})]\delta_{w_i,w}\delta _{c_i,t'_i}\delta_{w'_i,w'} & =_\mathsf {E}& \mathsf {h}(c_{i_0},w_{i_0}) \delta_{w_i,w}\delta_{c_i,t'_i}\delta _{w'_i,w'}\\[3pt] &=_\mathsf {E}& \mathsf {h}(t'_{i_0},w)\\[3pt] &=_\mathsf {E}& \mathsf {h}(M_1 (\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}), M_2 (\sigma\delta_{c_i,t'_i}\delta_{w_i,w'})) \\[3pt] &=_\mathsf {E}& M(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}) \end{array} $$

   • Otherwise, split _ψ (M)=f(split _ψ (M ₁),…,split ψ(M _ℓ )), and thus we have that:

     $$\begin{array}{l} [\mathsf {split}_{\psi}(M)(\sigma\delta_{w_i,w'_i})]\delta_{w_i,w}\delta _{c_i,t'_i}\delta_{w'_i,w'}\\[3pt] \quad =_\mathsf {E}[\mathsf {f}(\mathsf {split}_{\psi}(M_1), \ldots, \mathsf {split}_{\psi}(M_\ell))(\sigma\delta_{w_i,w'_i})]\delta _{w_i,w}\delta_{c_i,t'_i}\delta_{w'_i,w'}\\[3pt] \quad =_\mathsf {E}\mathsf {f}(\mathsf {split}_{\psi}(M_1)(\sigma\delta_{w_i,w'_i}) \delta _{w_i,w}\delta_{c_i,t'_i}\delta_{w'_i,w'}, \ldots, \mathsf {split}_{\psi}(M_\ell)(\sigma\delta_{w_i,w'_i})\delta_{w_i,w}\delta _{c_i,t'_i}\delta_{w'_i,w'})\\[3pt] \quad =_\mathsf {E}\mathsf {f}(M_1(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}), \ldots, M_\ell(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}))\\[3pt] \quad =_\mathsf {E}\mathsf {f}(M_1,\ldots,M_\ell) (\sigma\delta_{c_i,t'_i}\delta _{w_i,w'})\\[3pt] \quad =_\mathsf {E}M(\sigma\delta_{c_i,t'_i}\delta_{w_i,w'}) \end{array} $$
2. 2.

   This point can be proved as in the base case.

The second implication, (M= _E N)(ψ{^w′/ _w })⇒(M= _E N)ψ can be proved in a similar way. This allows us to conclude the proof. □

3.2 C.2 Proof of Proposition 4

Lemma 6

Let t ₁,…,t _k be distinct ground terms modulo E and c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names. Let  \(\phi= \nu\tilde{n}.\sigma\), \(\tilde{\phi} = \nu\tilde{n}. \tilde{\sigma}\) and \(\phi' = \nu\tilde{n}. \sigma'\) be three frames such that w∉fn(σ), and \(w, w_{1}, \ldots, w_{k}, c_{1},\ldots, c_{k} \notin \tilde{n}\). Moreover, we assume that \(\sigma \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{\sigma}\), \(\sigma=_{\mathsf {E}}\sigma'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and c ₁,…,c _k ∉fn(σ′). If \(\nu w. \tilde{\phi} \vdash_{\mathsf {E}}\tilde{M}\) and \(\{w_{1}, \dots, w_{k}, c_{1}, \dots, c_{k} \} \cap \mathit {fn}(\tilde{M}) = \emptyset\) for some ground term \(\tilde{M}\) then there exist ground terms M,M′ such that c ₁,…,c _k ∉fn(M′), w∉fn(M), \(M\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}\), \(M=_{\mathsf {E}}M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and νw ₁.…νw _k .ϕ⊢ _E M.

Proof

Let \(\tilde{M}\) be a ground term such that \(\nu w. \tilde{\phi} \vdash_{\mathsf {E}}\tilde{M}\) and \(\{w_{1}, \dots, w_{k}, c_{1}, \dots, c_{k} \} \cap \mathit {fn}(\tilde{M}) = \emptyset\). Thus, there exists a term ζ such that \(\mathit {fn}(\zeta) \cap(\tilde{n}\cup\{w, w_{1}, \dots, w_{k}, c_{1}, \dots, c_{k}\}) = \emptyset\), \(\mathit {fv}(\zeta) \subseteq \operatorname {dom}(\tilde{\sigma})\), and \(\zeta\tilde{\sigma} =_{\mathsf {E}}\tilde{M}\). Let M′=ζσ′ and \(M = \mathsf {split}_{0}(\zeta\tilde{\sigma})\) where split ₀ is the ground splitting function w.r.t. w, c ₁,…,c _k , w ₁,…,w _k , t ₁,…,t _k . We have that c ₁,…,c _k ∉fn(M′), and w∉fn(M). By hypothesis, we have that \(\zeta\tilde{\sigma} =_{\mathsf {E}}\tilde{M}\). Thus, thanks to Lemma 14, we have that \(M = \mathsf {split}_{0}(\zeta\tilde{\sigma}) =_{\mathsf {E}}\mathsf {split}_{0}(\tilde{M})\). Now, thanks to Lemma 15, we deduce that \(\mathsf {split}_{\tilde{\phi}}(\zeta)\sigma=_{\mathsf {E}}M\) where \(\mathsf {split}_{\tilde {\phi}}\) is the splitting function w.r.t. \(\tilde{\phi}\), w, c ₁,…,c _k , w ₁,…,w _k , t ₁,…,t _k . Actually, since \(\tilde{\sigma} = \sigma \delta _{c_{i},t_{i}} \delta _{w_{i},w}\) and \(\sigma=_{\mathsf {E}}\sigma'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), we have that w only appears under h and hence is not deducible from \(\nu w. \tilde{\phi}\). This allows us to show that \(\mathsf {split}_{\tilde{\phi}}(\zeta) = \zeta\). Hence, we have that ζσ= _E M. Lastly, we have that

• \(M =_{\mathsf {E}} \zeta\sigma=_{\mathsf {E}}(\zeta\sigma')\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}= M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and

• \(M\delta_{c_{i},t_{i}}\delta_{w_{i},w} =_{\mathsf {E}} [(\zeta\sigma')\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}]\delta_{c_{i},t_{i}}\delta_{w_{i},w} = (\zeta\sigma) \delta_{c_{i},t_{i}}\delta_{w_{i},w} = \zeta\tilde {\sigma}\).

This allows us to conclude the proof. □

Lemma 7

Let t ₁,…,t _k be distinct ground terms modulo E and c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names. Let M, N, \(\tilde{M}\) and \(\tilde{N}\) be four terms such that

• \(\tilde{M} = M\delta _{c_{i},t_{i}} \delta _{w_{i},w}\) and \(\tilde{N} = N\delta _{c_{i},t_{i}} \delta _{w_{i},w}\) with w∉fn(M)∪fn(N);

• \(M =_{\mathsf {E}}M' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) and \(N =_{\mathsf {E}}N' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some terms M′ and N′ such that c ₁,…,c _k ∉fn(M′)∪fn(N′).

Then, we have that \(M =_{\mathsf {E}}N \ \mbox{\textit{if and only if}}\ \tilde{M}=_{\mathsf {E}}\tilde{N}\).

Proof

As = _E is closed under substitution of terms for names M= _E N implies \(\tilde{M}=_{\mathsf {E}}\tilde{N}\). Now, let M and N be two terms such that \(\tilde{M} =_{\mathsf {E}}\tilde{N}\) where \(\tilde{M} = M\delta _{c_{i},t_{i}} \delta _{w_{i},w}\) and \(\tilde{N} = N\delta _{c_{i},t_{i}} \delta _{w_{i},w}\). Thus, according to Lemma 14, we have that

$$\mathsf {split}_0(M\delta _{c_i,t_i} \delta _{w_i,w}) =_\mathsf {E}\mathsf {split}_0(N \delta _{c_i,t_i} \delta _{w_i,w}) $$

where split ₀ represents the splitting function w.r.t. w, c ₁,…,c _k , w ₁,…,w _k , t ₁,…,t _k . Now, it is easy to establish, by structural induction on M and N and by relying on the fact that \(M =_{\mathsf {E}}M' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some term M′, and \(N =_{\mathsf {E}}N' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some term N′, that:

$$\mathsf {split}_0(M\delta _{c_i,t_i} \delta _{w_i,w}) =_E M \quad \mathrm{and} \quad \mathsf {split}_0(N\delta _{c_i,t_i} \delta _{w_i,w}) =_E N. $$

This allows us to conclude. □

We will prove Proposition 4 by induction on the prooftree witnessing the derivation. First, we establish a similar result for ≡.

Lemma 16

Let t ₁,…,t _k be distinct ground terms modulo E and c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names. Let A be an extended process such that bn(A)=∅, w∉fn(A), and \(A =_{\mathsf {E}}A' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some A′ such that c ₁,…,c _k ∉fn(A′). Suppose that \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}\equiv \overline{B}\) for some process  \(\overline{B}\). Then there exist some processes B and B′ such that

• \(\overline{B} = B \delta _{c_{i},t_{i}} \delta _{w_{i},w}\) with w∉fn(B), and

• \(B =_{\mathsf {E}}B' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) with c ₁,…,c _k ∉fn(B′), and

• A≡B.

Proof

Let \(\overline{A} = A\delta _{c_{i},t_{i}} \delta _{w_{i},w}\). We prove this result by induction on the proof tree showing that \(\overline{A} \equiv\overline{B}\). All the base cases that we have to check, i.e. Par-0, Par-C and Par-A, are easy to prove. The only interesting inductive case is the case of an application of an evaluation context. Suppose that the proof tree showing that \(\overline{A} \equiv \overline{B}\) ends with an instance of such a rule, i.e.

$$\frac{\overline{A_1} \equiv\overline{B_1}}{\overline{C}[ \overline{A_1}] \equiv\overline{C}[\overline{B_1}]} \hfill\null $$

where \(\overline{A} = \overline{C}[ \overline{A_{1}}]\) and \(\overline{B} = \overline{C}[\overline{B_{1}}]\). Note that the evaluation context will not contain any ν operator since otherwise bn(A)≠∅. As \(\overline{A} = A \delta _{c_{i},t_{i}} \delta _{w_{i},w}\) we have that there exist A ₁, C such that \(A_{1} \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \overline{A_{1}} \) and \(C \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \overline{C}\). Moreover there exists A′ such that \(C[A_{1}] = A =_{\mathsf {E}}A' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Hence there also exist C′, \(A_{1}'\) such that \(C =_{\mathsf {E}}C' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) and \(A_{1} =_{\mathsf {E}}A_{1}' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). We can therefore apply our induction hypothesis and we obtain that there exist processes \(B_{1}, B_{1}'\) such that

• \(\overline{B_{1}} = B_{1} \delta _{c_{i},t_{i}} \delta _{w_{i},w}\);

• \(B_{1} =_{\mathsf {E}}B_{1}' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\);

• A ₁≡B ₁.

Let B=C[B ₁] and \(B'=C'[B_{1}']\). We indeed have that

• \(\overline{B} = \overline{C}[ \overline{B_{1}}] = (C \delta _{c_{i},t_{i}} \delta _{w_{i},w}) [B_{1} \delta _{c_{i},t_{i}} \delta _{w_{i},w}] = B \delta _{c_{i},t_{i}} \delta _{w_{i},w}\)

• \(B =C[B_{1}] =_{\mathsf {E}}C'[B'_{1}] \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}= B' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

This allows us to conclude the proof. □

Now, we can prove the following proposition.

Proposition 4

Let t ₁,…,t _k be distinct ground terms modulo  E and c ₁,…,c _k ,w ₁,…,w _k be distinct fresh names. Let \(\nu\tilde{n}. A\) be an extended process such that bn(A)=∅, w∉fn(A), and \(A =_{\mathsf {E}} A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) for some A′ such that c ₁,…,c _k ∉fn(A′). Moreover, we assume that \(w, w_{1},\dots,w_{k},\allowbreak c_{1},\dots,c_{k} \notin \tilde{n}\).

Let  \(\overline{B}\) be such that \(\nu w. \nu\tilde{n}. (A\delta _{c_{i},t_{i}} \delta _{w_{i},w}) \xrightarrow {\ell} \overline{B}\). Moreover, when \(\ell= in(\tilde {M})\) we assume that \(w_{1}, \dots, w_{k}, c_{1},\dots, c_{k} \notin \mathit {fn}(\tilde{M})\). Then there exist extended processes B, B′, and labels ℓ ₀, ℓ′ such that:

• \(\overline{B} \equiv\nu w. \nu\tilde{n}. (B\delta _{c_{i},t_{i}} \delta _{w_{i},w})\) with bn(B)=∅ and w∉fn(B), \(\ell= \ell_{0}\delta _{c_{i},t_{i}} \delta _{w_{i},w}\), and

• \(B =_{\mathsf {E}}B'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) with c ₁,…,c _k ∉fn(B′), \(\ell_{0} =_{\mathsf {E}}\ell' \delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and

• \(\nu w_{1} \dots\nu w_{k}. \nu\tilde{n}. A \xrightarrow {\ell_{0}} \nu w_{1} \dots\nu w_{k}. \nu\tilde{n}. B\).

Proof

We have \(\nu w. \nu\tilde{n}. (A \delta _{c_{i},t_{i}} \delta _{w_{i},w}) \xrightarrow {\ell} \overline{B}\). It is easy to see that \(w \in \mathit {bn}(\overline{B})\) and \(\tilde{n}\subseteq \mathit {bn}(\overline{B})\). Indeed, according to our calculus, we can always by using structural equivalence move a restriction in front of the process. Thus we have that \(\overline{B} \equiv\nu w. \nu\tilde{n}. \tilde{B}\) for some process \(\tilde{B}\) such that \(\mathit {bn}(\tilde{B}) = \emptyset\). Let ℓ be the label involved in \(\nu w. \nu\tilde {n}.(A\delta _{c_{i},t_{i}} \delta _{w_{i},w}) \to \overline{B}\). It is easy to see that \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}\xrightarrow {\ell} \tilde{B}\) and when \(\ell= in(\tilde{M})\), we have that \(\nu w. \nu\tilde{n}(\phi(A) \delta _{c_{i},t_{i}} \delta _{w_{i},w}) \vdash_{\mathsf {E}}\tilde{M}\). Moreover, by hypothesis, we have that \(w_{1}, \ldots, w_{k}, c_{1}, \ldots, c_{k} \notin \mathit {fn}(\tilde{M})\). By Lemma 6, we deduce that \(\nu w_{1}. \ldots\nu w_{k}.\nu\tilde{n}.\phi(A) \vdash_{\mathsf {E}}M\) for some M such that \(M \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}\) and we also know that there exists M′ such that \(M =_{\mathsf {E}}M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). This allows us, in particular, to ensure that, in the case of an input, the side condition corresponding to an application of evaluation context is satisfied. Now, we show by induction on the proof tree showing that \(A\delta _{c_{i},t_{i}} \delta _{w_{i},w}\xrightarrow {\ell} \tilde{B}\) that there exist processes B,B′, and labels ℓ ₀, ℓ′ such that

• \(\tilde{B} = B\delta _{c_{i},t_{i}} \delta _{w_{i},w}\) with w∉fn(B), and \(\ell= \ell_{0}\delta_{c_{i},t_{i}}\delta_{w_{i},w}\);

• \(B =_{\mathsf {E}}B'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) with c ₁,…,c _k ∉fn(B′), and \(\ell_{0} =_{\mathsf {E}}\ell'\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\);

• A→B.

This will allows us to conclude that \(\nu w_{1} \dots\nu w_{k}. \nu\tilde {n}. A \to\nu w_{1} \dots\nu w_{k}. \nu\tilde{n}. B\). Note that since \(\mathit {bn}(\tilde{B}) =\emptyset\), we have also that bn(B)=∅.

Base cases.

• In. In such a case, we have \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}=\text {in}(x). \tilde{P}\) and \(\tilde{B} = \tilde{P} \{^{\tilde{M}}/{}_{x}\}\) for some process \(\tilde{P}\) and some term \(\tilde{M}\). From this, we deduce that A=in(x).P for some process P such that \(P\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{P}\). We have also that \(A = \text {in}(x).P =_{\mathsf {E}}A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Thus, there exists P′ with c ₁,…,c _k ∉fn(P′) such that \(P =_{\mathsf {E}}P'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Moreover, we have already seen that there exists M and M′ such that

  • \(M\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}\), and

  • \(M =_{\mathsf {E}}M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Let B=P{^M/ _x }, B′=P′{^M′/ _x }, ℓ ₀=in(M), and ℓ′=in(M′). It is easy to check that the three conditions hold.

• Out. In such a case, we have \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \text {out}(\tilde{M}).\tilde{P}\) and \({\tilde{B} = \tilde{P} \mid \{^{\tilde{M}}/{}_{x}\}}\) for some process \(\tilde{P}\) and some term \(\tilde{M}\). From this, we deduce that A=out(M).P for some term M and some process P such that \(M\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}\), and \(P\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{P}\). We have also that \(A = \text {out}(M).P =_{\mathsf {E}}A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Thus, there exist M′ and P′ such that \(M =_{\mathsf {E}}M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) and \(P =_{\mathsf {E}}P'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Moreover, we have that c ₁,…,c _k ∉fn(M′)∪fn(P′). Let B=P∣{^M/ _x }, B′=P′∣{^M′/ _x }, ℓ ₀=out(M), and ℓ′=out(M′). It is easy to check that the three conditions hold.

• Event. In such a case, we have \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \text {ev}(\tilde{M}).\tilde{P}\) and \({\tilde{B} = \tilde{P} \mid \{^{\tilde{M}}/{}_{x}\}}\) for some process \(\tilde{P}\) and some terms \(\tilde{M}\). From this, we deduce that A=ev(M).P for some terms M and some process P such that \(M\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}\), and \(P\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{P}\). We have also that \(A = \text {ev}(M).P =_{\mathsf {E}}A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Thus, there exist M′ and P′ such that \(M =_{\mathsf {E}}M'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) and \(P =_{\mathsf {E}}P'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Moreover, we have that c ₁,…,c _k ∉fn(M′)∪fn(P′). Let B=P, B′=P′, ℓ ₀=ev(M), and ℓ′=ev(M′). It is easy to check that the three conditions hold.

• Then. In such a case, we have \(A \delta _{c_{i},t_{i}} \delta _{w_{i},w}= \mbox{if } \tilde{M}_{1} = \tilde{M}_{2} \mbox{ then } \tilde{P} \mbox{ else } \tilde{Q}\) for some terms \(\tilde{M}_{1}\) and \(\tilde{M}_{2}\) and some processes \(\tilde{P}\) and \(\tilde{Q}\) such that \(\tilde {M}_{1} =_{\mathsf {E}}\tilde{M}_{2}\) and \(\tilde{B} = \tilde{P}\). From this, we deduce that A=if M ₁=M ₂ then P else Q for some terms M ₁,M ₂ and some processes P,Q such that \(M_{i}\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{M}_{i}\) (i=1,2), \(P\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{P}\), and \(Q\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{Q}\). We have also that \(A = \mbox{if } M_{1} = M_{2} \mbox{ then } P \mbox{ else } Q =_{\mathsf {E}}A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Thus, there exist \(M'_{1}\), \(M'_{2}\), P′ and Q′ such that:

  • \(M_{i} =_{\mathsf {E}}M'_{i}\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) (i=1,2),

  • \(P =_{\mathsf {E}}P'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and

  • \(Q =_{\mathsf {E}}Q'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\).

  Moreover, we have that \(c_{1},\ldots, c_{k} \notin \mathit {fn}(M'_{1}) \cup \mathit {fn}(M'_{2}) \cup \mathit {fn}(P') \cup \mathit {fn}(Q')\). Let B=P, B′=P′, and ℓ ₀=ℓ=τ. It is easy to see that the two first conditions hold. For the last one, we have to show that M ₁= _E M ₂. This can be easily done thanks to Lemma 7.

• Else. This case is similar to the previous one.

Inductive cases. The inductive case corresponding to application of structural equivalence directly follows from Lemma 16. It remains to show the case of an application of an evaluation context. In such a case, we have \({A \delta _{c_{i},t_{i}} \delta _{w_{i},w}\xrightarrow {\ell} \tilde{B}}\) finishes by an application of the following rule

$$\frac{\tilde{A}_1\xrightarrow {\ell} \tilde{B}_1}{\tilde {C}[\tilde{A}_1] \xrightarrow {\ell} \tilde{C} [\tilde{B}_1]} \hfill\null $$

where \(A\delta _{c_{i},t_{i}} \delta _{w_{i},w}=\tilde{C}[\tilde{A}_{1}]\) and \(\tilde{B} = \tilde{C}[\tilde{B}_{1}]\). From this, we deduce that A=C[A ₁] for some context C and some process A ₁ such that \(C\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{C}\) and \(A_{1}\delta _{c_{i},t_{i}} \delta _{w_{i},w}= \tilde{A}_{1}\). We have \(A = C[A_{1}] =_{\mathsf {E}}A'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Thus, there exist C′ and \(A'_{1}\) such that \(C =_{\mathsf {E}}C'\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\), and \(A_{1} =_{\mathsf {E}}A'_{1}\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\). Hence we can apply our induction hypothesis to obtain that there exist \(B'_{1}\), B ₁, ℓ ₀, and ℓ′ such that

• \(\tilde{B}_{1} \equiv B_{1}\delta _{c_{i},t_{i}} \delta _{w_{i},w}\) with w∉fn(B ₁), and \(\ell= \ell_{0}\delta_{c_{i},t_{i}}\delta_{w_{i},w}\);

• \(B_{1} =_{\mathsf {E}}B'_{1}\delta _{w_{i},\mathsf {h}(c_{i},w_{i})}\) with \(c_{1},\ldots, c_{k} \notin \mathit {fn}(B'_{1})\), and \(\ell_{0} =_{\mathsf {E}}\ell'\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\);

• A ₁→B ₁.

Let B=C[B ₁] and \(B'= C'[B'_{1}]\). The three conditions hold and this allows us to conclude the proof. □

3.3 C.3 Proof of Theorem 3

Theorem 3

Let \(\mathcal{P} = \nu w. (\nu\tilde{m}_{1}. P_{1} \mid\cdots\mid \nu\tilde{m}_{\ell}. P_{\ell})\) be a password protocol specification and \(\mathcal{P}'\) be such that \(\overline{\mathcal{P}} = \nu w. \mathcal{P}'\), and \(\mathcal{P}'_{1}, \ldots\mathcal{P}'_{p}\) be p instances of  \(\mathcal{P}'\).

1. 1.

   Let t be a ground term that occurs as a subterm in  \(\mathcal{P}'_{i}\) for some i∈{1,…,p}. If \(\nu w. \mathcal{P}'_{i}\) preserves secrecy of t, then we have that \(\nu w. (\mathcal{P}'_{1} \mid\cdots\mid\mathcal{P}'_{p})\) preserves secrecy of \(t\{^{\mathsf {h}(t_{i},w)}/{}_{w}\}\).

2. 2.

   Let \(\varPhi= \text {ev}(\tilde{x}) \Rightarrow_{(\mathsf {inj})} \text {ev}(\tilde{x})\) be a correspondence property (injective or not). If Φ holds on  \(\mathcal{P}\), then Φ holds on \(\nu w. (\mathcal{P}'_{1} \mid\cdots\mid\mathcal{P}'_{p})\).

3. 3.

   If \(\mathcal{P}\) is resistant to guessing attacks against w, then we have that \(\nu w. (\mathcal{P}'_{1} \mid \ldots\mid\mathcal{P}'_{p})\) is resistant to guessing attacks against w.

Proof

We suppose w.l.o.g. that \(\mathcal{P}'_{i} = \nu\tilde{m}_{i,1} \nu n_{i,1}. P_{i,1} \mid\cdots\mid\nu\tilde{m}_{i,\ell} \nu n_{i,\ell}. P_{i,\ell}\) where

$${P_{i,j}} = \text {in}(x^1_{i,j} ). \ldots \text {in}(x^{j-1}_{i,j} ). \text {out}(n_{i,j}).\text {in}(x^{j+1}_{i,j} ). \ldots \text {in}(x^{\ell}_{i,j} ). P'_{i,j} $$

for some \(P'_{i,j}\) (1≤i≤p,1≤j≤ℓ).

By contradiction, suppose that \(P = \nu w.(\mathcal{P}'_{1} \mid\ldots \mid\mathcal{P}'_{p})\) admits an attack. Throughout the proof we refer to an attack as being either an attack on secrecy, on a correspondence property or a guessing attack. Hence there exists Q such that P→^∗ Q is the derivation exhibiting this attack. We assume w.l.o.g. that the derivation is maximal, i.e. there is no Q′ such that Q→Q′. This allows us to ensure that all the preambles have been executed. We are going to show that there exists an attack on \(\mathcal{P}\) contradicting the hypothesis.

Step 1

We will first regroup the different roles of the protocol instances according to their tag. For this we need to identify the tag t _i,j that is computed by P _i,j during the attack derivation. We have that \(P \xrightarrow {\ell_{1}} P_{1} \xrightarrow {\ell_{2}} \cdots P_{q-1}\xrightarrow {\ell_{q}} P_{q}=Q\) and for each \(x^{k}_{i,j}\) such that \(j \not= k\) there exists r such that \(P_{r} \equiv C[\text {in}(x^{k}_{i,j}).P'] \xrightarrow {\text {in}(M^{k}_{i,j})} C[P'\{^{M^{k}_{i,j}}/{}_{x^{k}_{i,j}}\}]\equiv P_{r+1}\). Moreover, for each i,j such that 1≤i≤p,1≤j≤ℓ there exists \(y_{i,j} \in \operatorname {dom}(\phi(Q))\) such that y _i,j ϕ(Q)=n _i,j . Let \(M^{j}_{i,j} = n_{i,j}\). We define \(t_{i,j} = \langle M^{1}_{i,j}, \langle\ldots\langle M^{\ell- 1}_{i,j}, M^{\ell}_{i,j} \rangle\rangle\rangle\). We note that ϕ(Q)⊢t _i,j for all i,j such that 1≤i≤p,1≤j≤ℓ. Intuitively, t _i,j is the tag which has been computed by process P _i,j in the attack derivation.

Next we regroup the roles in P according to the tag they used. Let tag ₁,…,tag _k be the different terms (modulo E) that occur in {t _i,j |1≤i≤ℓ and 1≤j≤p}. By definition, the terms tag ₁,…,tag _k are distinct modulo E. We group the different processes of P according to the value of the tag in the derivation, i.e., we define

$$\overline{A_r} = \nu\tilde{m}_r. \vert_{i,j\ s.t.\ t_{i,j}= tag_r} P_{i,j} \quad \mbox{where } \tilde{m}_r = \biggl(\, \bigcup_{i,j\ s.t.\ t_{i,j}= tag_r} \tilde{m}_{i,j}, n_{i,j}\biggr) $$

We have that \(P \equiv\nu w. (\overline{A_{1}} \mid\cdots\mid \overline{A_{k}})\) and we let \(\tilde{m}\) stand for the sequence \(\nu\tilde{m}_{1} \ldots\nu \tilde{m}_{k}\).

Step 2

The aim of this step is to show that an attack on a transformed protocol also exists on a protocol that is tagged with constants (instead of the constructed tag) and different passwords (instead of the same password).

We first instantiate the tag of each role P _i,j by the tag that has been computed in the attack derivation. Define the process \(\overline{P}_{0}\) obtained from P by replacing each occurrence of a non-instantiated tag \(\langle x^{1}_{i,j}, \langle\ldots n_{i,j} \ldots\langle x^{\ell- 1}_{i,j}, x^{\ell}_{i,j} \rangle\rangle\rangle\) in \(\overline{A}_{r}\) by the ground term tag _r . It is easy to see that \(\overline{P}_{0} \to^{*} Q\). Moreover, by construction each \(\overline{A_{i}}\) is of the form \(A_{i}\delta_{c_{i},tag_{i}} \delta_{w_{i},w}\) with \(A_{i} = A'_{i}\delta_{w,\mathsf {h}(c_{i},w_{i})}\) for some A _i , \(A_{i}'\) and c ₁,…c _k ,w ₁,…w _k which do not occur in \(\overline{P}_{0}\). As w ₁,…w _k ,c ₁,…c _k do not occur in \(\overline{P}_{0}\) we assume w.l.o.g. that they do not occur in any label among this derivation.

Let \(\overline{P}_{n} = Q\) and P ₀=(νw ₁.A ₁∣…∣νw _k .A _k ). By iterating Proposition 4 we have that there exist two extended processes P _n , \(P'_{n}\) and two sequences of labels \(\ell^{0}_{1}, \ldots, \ell^{0}_{n}\) and \(\ell'_{1}, \ldots, \ell'_{n}\) such that:

• \(\overline{P}_{n} \equiv\nu w. \nu \tilde{m}. (P_{n}\delta_{c_{i},t_{i}}\delta_{w_{i},w})\) with bn(P _n )=∅, w∉fn(P _n ), and \(\overline{\ell_{j}} = \ell^{0}_{j}\delta_{c_{i},t_{i}}\delta_{w_{i},w}\) for any j∈{1,…,n};

• \(P_{n} =_{\mathsf {E}}P'_{n}\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\) with \(c_{1},\ldots, c_{k} \notin \mathit {fn}(P'_{n})\), and \(\ell^{0}_{j} =_{\mathsf {E}}\ell'_{j}\delta_{w_{i},\mathsf {h}(c_{i},w_{i})}\) for any j∈{1,…,n}, and

• \(P_{0} \xrightarrow {\ell^{0}_{1}} \cdots \xrightarrow {\ell^{0}_{n}} \nu w_{1}.\ldots. \nu w_{k}. \nu\tilde{m}. P_{n}\).

Exactly as in the proof of Theorem 2, using Lemmas 6, 7 and 8 we show that the derivation \(P_{0}\xrightarrow {{\ell^{0}_{1}}} \cdots \xrightarrow {{\ell^{0}_{n}}} \nu w_{1}.\ldots. \nu w_{k}. \nu\tilde{m}. P_{n}\) also admits an attack.

Step 3

In the final step we are going to show that the attack already existed on an instance of \(\mathcal{P}\) contradicting the hypothesis.

By Proposition 1, we have for some r that \(\nu w_{r}. \nu\tilde{m}_{r}. A_{r}\) admits an attack. We have that \(A_{r} = \vert_{i,j\ s.t.\ t_{i,j}= tag_{r}} Q_{i,j}\) and the Q _i,j s are of the form

$${Q_{i,j}} = \text {in}(x^1_{i,j} ). \ldots \text {in}(x^{j-1}_{i,j} ). \text {out}(n_{i,j}). {\text {in}(x^{j+1}_{i,j} )}. \ldots \text {in}(x^{\ell}_{i,j} ). Q'_{i,j} $$

for some \(Q'_{i,j}\) such that \(x^{1}_{i,j}, \ldots, x^{j-1}_{i,j}, n_{i,j}, x^{i+1}_{i,j}, x^{\ell}_{i,j}\) do not occur in \(Q'_{i,j}\). Hence, we also have that \(\nu w_{r}. \nu\tilde{m}_{r}. (\bigm\vert_{i,j\ s.t.\ t_{i,j}= tag_{r}} Q'_{i,j})\) admits an attack. Let \(\tilde{m}'_{r} = \tilde{m}_{r} \smallsetminus\{n_{i,j} \mid t_{i,j} = tag_{r}\}\). We observe that \(\nu\tilde{m}'_{r}. (\bigm\vert_{i,j\ s.t.\ t_{i,j}= tag_{r}} Q'_{i,j}) \equiv R \{^{\mathsf {h}(c_{r},w_{r})}/_{w_{r}} \}\) for some process R such that νw _r .R is an instance of \(\nu w. (\nu \tilde{m}_{i_{1}}. P_{i_{1}} \mid\cdots\mid\nu \tilde{m}_{i_{q}}. P_{i_{q}})\) and \(\{P_{i_{1}}, \ldots, P_{i_{q}}\} \subseteq\{ P_{1}, \ldots P_{\ell}\}\) (multiset inclusion). Note that this holds because in the transformed protocol each of the roles generates a new nonce, and hence each of the Q _i,j s can be associated to at most one of the role of \(\mathcal{P}\) (two instances of the same role would necessarily generate different tags).

Thanks to Theorem 1 we have that there exists an attack on R which implies that there exists an attack on an instance of \(\mathcal{P}\) yielding a contradiction.  □